Received: April 5, 2026 (Digital News)

Hundreds of Theatres Show Apocalyptic-Yet-Optimistic New Movie, 'The AI Doc'

April 5, 2026 at 22:39
Hundreds of theatres are now showing a new documentary called The AI Doc: Or How I Became An Apocaloptimist. Variety calls it "playful and heady," edited "with a spirit of ADHD alertness." The New York Times suggests it "tries to cover so much that it ends up being more confusing than clarifying, but parts are fascinating." But the Los Angeles Times calls it an "aggravating soup of information and opinion that wants to move at the speed of machine thought." So while co-director Daniel Roher asks whether he should bring a child into a world with AI, "Perhaps more urgently, should Roher have made an AI doc that treats us like children?" First, he parades all the safety doomers, seeming to believe their warnings that an unfeeling superintelligence is upon us and we can't trust it. Then, sufficiently disturbed, he hauls in the AI cheerleaders, a suspiciously positive gang who can envision only medical miracles and grindless lives in which we're all full-time artists. Only then, after this simplistic setup where platitudes reign, do we get the section in which the subject is treated like the brave (and grave) new world it is: geopolitically fraught, economically tenuous and a playground for billionaires. Why couldn't the complexity have been the dialogue from the beginning, instead of the play-dumb cartoon "The AI Doc" feels like for so long? Maybe Roher believes this is what our increasingly gullible, truth-challenged citizenry needs from an explanatory doc: a flashy, kindhearted reminder that we're the change we need to be. Read more reactions here and here. Mashable warns the documentary's director "will ultimately craft a journey that feels like a panic attack in real time. In the end, you may not feel better about mankind's chances against the rise of AI. But you'll likely feel less helpless in the future before us all."
They also point out that the film "shares some ways its audience can more actively be a part of the conversation, and provides a link to the film's website for engagement," where 6,948 people have now signed up for its newsletter. ("Demand a seat at the table," urges its signup button, under a warning that "Government and AI companies are designing our future without us. We need to reclaim our voice in shaping the future of AI...")

Read more of this story at Slashdot.

Will 'AI-Assisted' Journalists Bring Errors and Retractions?

April 5, 2026 at 21:22
Meet the "journalist" who "uploads press releases or analyst notes into AI tools and prompts them to spit out articles that he can edit and publish quickly," according to the Wall Street Journal. "AI-assisted stories accounted for nearly 20% of Fortune's web traffic in the second half of 2025." And most were written by 42-year-old Nick Lichtenberg, who has now written over 600 AI-assisted stories, producing "more stories in six months than any of his colleagues at Fortune delivered in a year." One Wednesday in February, he cranked out seven. "I'm a bit of a freak," Lichtenberg said... A story by Lichtenberg sometimes starts with a prompt entered into Perplexity or Google's NotebookLM, asking it to write something based on a headline he comes up with. He moves the AI tools' initial drafts into a content-management system and edits the stories before publishing them for Fortune's readers... A piece from earlier that morning about Josh D'Amaro being named Disney CEO took 10 minutes to get online, he said... Like other journalists, Lichtenberg vets his stories. He refers back to the original documents to confirm the information he's reporting is correct. He reaches out to companies for comment. But he admits his process isn't as thorough as that of magazine fact-checkers. While Lichtenberg started out saying his stories were co-authored with "Fortune Intelligence", he now typically signs his own name, according to the article, "because he feels the work is mostly his own." (Though his stories "sometimes" disclose generative AI was used as a research tool...) The article asks if he could be "a bellwether for where much of the media business is headed..." "Much of the content people now consume online is generated by artificial intelligence, with some 9% of newly published newspaper articles either partially or fully AI-generated, according to a 2025 study led by the University of Maryland.
The number of AI-generated articles on the web surpassed human-written ones in late 2024, according to research and marketing agency Graphite." Some executives have made full-throated declarations about the threat posed by AI. New York Times publisher A.G. Sulzberger said AI "is almost certainly going to usher in an unprecedented torrent of crap," referencing deepfakes as an example. The NewsGuild of New York, the union representing Fortune employees and journalists at other media outlets, said the people are what makes journalism so powerful. "You simply can't replicate lived experiences, human judgment and expertise," said president Susan DeCarava. For Chris Quinn, the editor of local publications Cleveland.com and the Plain Dealer, AI tools have helped tame other torrents facing the industry. AI has allowed the outlets to cover counties in Ohio that otherwise might go ignored by scraping information from local websites and sending "tips" to reporters, he said. It has also edited stories and written first drafts so the newsrooms' journalists can focus on the calls, research and reporting needed for their stories.... Newsrooms from the New York Times to The Wall Street Journal are deploying AI in various ways to help reporters and editors work more efficiently.... Not all newsrooms disclose their use of AI, and in some cases have rolled out new tools that resulted in errors or PR gaffes. An October study from the European Broadcasting Union and the BBC, which relied on professional journalists to evaluate the news integrity of more than 3,000 AI responses, found that almost half of all AI responses had at least one significant issue. Last week the New York Times even issued a correction when a freelance book reviewer using an AI tool unknowingly included "language and details similar to those in a review of the same book published in The Guardian." 
But it was actually "the second time in a few days that the Times was called out for potential AI plagiarism," according to the American journalist writing The Handbasket newsletter. We must stem the idea being pushed by tech companies and their billionaire funders who've sunk too much into their products to admit defeat that the infiltration of AI into journalism is inevitable; because from my perch as an independent journalist, it simply is not... Some AI-loving journalists appear to believe that if they're clear enough with the AI program they're using, it will truly understand what they're seeking and not just do what it's made to do: steal shit... If you want to work with machines, get a job that requires it. There are a whole lot more of those than there are writing jobs, so free up space for people who actually want to do the work. You're not doing the world a favor by gifting it your human/AI hybrid. Journalism will not miss you if you leave... But meanwhile, USA Today recently tried hiring for a new position: AI-Assisted reporter. (The lucky reporter will "support the launch and scaling of AI-assisted local journalism in a major U.S. metro," working with tools including Copilot and Perplexity, pioneering possible future expansions and "AI-enabled newsroom operations that support and augment human-led journalism.") And Google is already sponsoring a "publishing innovation award"...

Crooks Behind $27M in 'Refund' Scams Busted By YouTube Pranksters After Being Lured to Fake Funeral

April 5, 2026 at 18:34
One crime ring scammed 2,000 elderly people of more than $27 million between 2021 and 2023 using tech support/bank impersonation/refund scams. "Victims were in their 70s and 80s," reports the U.S. Attorney's office for California's southern district. Victims were first told they'd received a refund (either online or via phone), but then told they'd been "over-refunded" a massive amount, and asked to return that amount. But 42-year-old Jiandong Chen just admitted Thursday in a U.S. federal court that he was involved in the fraud and money laundering via cryptocurrency — pleading guilty to two charges with maximum penalties of 40 years in prison and a $1 million fine, plus 20 years in prison with a maximum fine of $500,000 or twice the amount laundered. "Chen, a Chinese national, is the second defendant charged in a five-defendant indictment." And what tripped him up seems to be that "Certain members of the conspiracy also did in-person pickups of money directly from victims..." And so YouTube enters the story — when the scammers called pranksters with 1,790,000 subscribers to their "Trilogy Media" channel. In an elaborate three-hour video, the team of pranksters lured the scammer to a rented Airbnb where they're staging a fake funeral with a nun. (One of the men acting in the video remembers "we start doing a prayer... I'm holding the scammer's hand in my nun outfit...") They convince the scammer to collect the cash from a dead man — "Is there anything you'd like to say to him?" Then there's demon voices. The scammer's victim resurrects from the dead. Did the cash mule bring holy water? The end result was a video titled "CONFRONTING SCAMMERS WITH A FAKE FUNERAL (EPIC REACTIONS)". But two and a half years later, their "cash mule sting house" video has racked up over 1.3 million views, 22,000 likes, and 2,979 comments. ("This video is longer than Oppenheimer. Thanks for the laughs fellas.") And the scammer is facing 60 years in prison.

Apple Brings Device-Level Age Verification to Two More Countries

April 5, 2026 at 17:34
11 days ago Apple launched device-level age restrictions in the U.K. There were some glitches, reports the blog 9to5Mac. For me, the experience was an entirely painless one, taking less than 30 seconds. All I had to do was tap a confirm and continue button, and Apple told me that the length of time I'd had an Apple account was used to confirm that I'm 18+. Others, however, experienced difficulties with the process timing out or failing to complete. We summarized some of the steps you can take to try to address this. Apple has since listed additional acceptable ways to verify your age. "You can confirm your age with a credit card, or by scanning a driver's license or one of the following PASS-accredited Proof of Age cards: CitizenCard, My ID Card, TOTUM ID card, or Young Scot National Entitlement Card." If you don't verify your age, then you'll be treated as a child or teenager, meaning that both the web content filter and communication safety features are switched on. Apple is continuing the roll-out in Singapore (population 6 million) and South Korea (population 52 million), the article points out, citing a new Apple support document. South Korea's law actually requires Apple to re-verify someone's age annually.

Linux 7.1 Expected To Begin Removing i486 CPU Support

April 5, 2026 at 16:56
It's finally time: a patch queued into one of the development branches ahead of the upcoming Linux 7.1 merge window is set to finally begin the process of phasing out and ultimately removing Intel 486 CPU support from the Linux kernel. Anyone still using an i486 CPU with an upstream Linux kernel would be incredibly rare and no known Linux distribution vendors are still shipping with i486 CPU support, but in case you are, you can continue to be running one of the existing Linux LTS kernel versions...

Chrome 148 Will Start 'Lazy Loading' Video and Audio to Improve Performance

April 5, 2026 at 16:34
"Google has announced that it's currently testing a new feature for Chrome 148 that could speed up day-to-day browsing," reports PC World: [T]he browser can intelligently postpone the loading of certain elements. Why load all images at the start when it can instead load images as you get close to them while scrolling? Chrome and Chromium-based browsers have had built-in lazy loading support for images and iframes since 2019, but this feature would make browsers capable of lazy loading video and audio elements, too. Note, however, that this won't benefit YouTube video embeds — those are already lazy loadable since they're embedded using iframes. Actual video and audio elements are rarer but not uncommon. In addition to Chrome, lazy loading of video and audio elements is also expected to be added to other Chromium-based browsers, including Microsoft Edge and Vivaldi.

Scientists Engineered a Plant To Produce 5 Different Psychedelics At Once

April 5, 2026 at 15:34
Plants, toads, and mushrooms "can all produce psychedelic substances," writes ScienceAlert. "And now their powers have been combined in one plant." [S]cientists have taken the genes these organisms use to make five natural psychedelics and introduced them into a tobacco plant (Nicotiana benthamiana), which then produced all five compounds simultaneously. As interest grows in psychedelics as potential treatments for illnesses such as depression, anxiety, and PTSD, the newly developed system could offer scientists a new way to produce these compounds for research purposes... [P]rogress in this field remains limited, in part due to regulatory restrictions, underscoring the need for more research. This creates practical challenges for scientists. "Traditionally, the supply of psychedelics relies on natural producers, mainly plants, fungi, and the Sonoran Desert toad," the researchers write. "Harvesting these organisms for their psychoactive compounds raises ecological and ethical concerns, being increasingly threatened by habitat loss and overexploitation..." [T]he team carefully monitored the plant's production of five psychedelic tryptamines: DMT originally from plants; psilocin and psilocybin from mushrooms; and bufotenin and 5-MeO-DMT from toads. The modified tobacco plants were found to produce all five compounds simultaneously. The article points out that the researchers "also took it a step further." By tweaking the enzymes they were able to "produce modified versions of the compounds that do not naturally occur in plants, and which may also have therapeutic value."

Good Deal: The UGREEN Sport Max 5C Bluetooth Headphones at €27

April 23, 2026 at 14:22

Headphones with active noise cancellation – Bluetooth 5.4 – LDAC audio – multipoint connection – 8-mode equalizer – 45 hours of battery life with ANC – fast charging, 5 minutes for 5 hours – call handling – USB Type-C charging – physical button controls – folds for easy transport. Available for €27.06 on Amazon.

I bought this Sport Max 5C headset last December. It is not the best headset I have ever owned, but it does the job perfectly, is sturdy, and offers very comfortable battery life and convincing noise cancellation. It is THE headset I use for DIY work, walking the dog and listening to podcasts. Alongside it, I still have an excellent Sony XM for music, which is superior in sound quality. As it should be, it cost 10 times as much. But I really appreciate being able to control the Sport Max 5C with gloves on when I am doing DIY or when it is cold. I paid €29.99 for it at the time and I don't regret a cent.

Good Deal: The UGREEN Sport Max 5C Bluetooth Headphones at €27 © MiniMachines.net. 2026

Does Ubuntu Now Require More RAM Than Windows 11?

April 5, 2026 at 11:34
"Canonical is no longer pretending that 4GB is enough," writes the blog How-to-Geek, noting Ubuntu 26.04 LTS "raises the baseline memory to 6GB, alongside a 2GHz dual-core processor, and 25GB of storage..." Ubuntu 14.04 LTS (Trusty Tahr) set the floor at 1GB — a modest ask when it launched more than a decade ago in 2014. Then came the Ubuntu 18.04 LTS (Bionic Beaver) that pushed the number to 4GB, surviving quite well in the era of 16GB being considered standard for mid-range laptops.... Ubuntu's new minimum requirement lands in an interesting spot when compared against Windows 11. Microsoft's operating system requires just 4GB RAM, although real-world usage often tells a different story. Usually, 8GB is considered the sweet spot to handle modern apps and multitasking. The blog OMG Ubuntu argues this change is "not because Ubuntu requires 2GB more memory than it did, but more the way we compute does." It's more of an honesty bump. Components that make up the distro — the GNOME desktop and extensions, modern web browsers (and the sites we load in them) and the kinds of apps we use (and keep running) whilst multitasking are more demanding... The Resolute Raccoon's memory requirements better reflect real-world multitasking. Ubuntu 26.04 LTS can be installed on devices with less than 6GB RAM (but not less than 25GB of disk space). The experience may not be as smooth or as responsive as developers intend (so you don't get to complain), but it will work. I installed Ubuntu 26.04 Beta on a laptop with just 2 GB of memory — slow to the point of frustration in use, but otherwise functional. If you have a device with 4 GB RAM and you can't upgrade (soldered memory is a thing, and e-waste can be avoided), then alternatives exist. Many Ubuntu flavours, like Lubuntu, have lower system requirements than the main edition. Plus, there's always the manual option using the Ubuntu netboot installer to install a base system and then build out a more minimal system from there.

AOOSTAR TA95X3D: a Mini-ATX board built around the Ryzen 9 9955HX3D

April 5, 2026 at 11:28

The AOOSTAR TA95X3D is the brand's first MoDT-type board. It was announced last September, and the company is now giving us more details. Although we have already come across a few of these boards from Minisforum, this particular format is still uncommon. MoDT stands for Mobile on DeskTop and refers to motherboards in a classic tower format, often Mini-ATX, with a mobile processor soldered directly on board.

The idea behind a board like this TA95X3D is therefore to offer a processor that is powerful but not power-hungry, and that will therefore not need a monstrous cooling solution. The result: compact, efficient, quiet configurations with secondary capabilities that are often fairly specialized.

The Ryzen 9 9955HX3D is a high-performance mobile processor from the "Fire Range" family that offers 16 Zen5 cores and 32 threads, with frequencies ranging from 2.5 to 5.4 GHz. It runs at a base TDP of 55 W and includes a "small" Radeon 610M graphics circuit. Small because, with its 2 cores at 2.2 GHz, it only serves the machine's very ordinary uses and will not offer much 3D gaming capability. The reason is simple: the AOOSTAR TI95X3D board has a PCIe Gen5 x16 slot with x8 connectivity. Enough to fit an external card that will be more powerful and have its own cooling. AMD's idea is to keep the processor relatively easy to cool so that laptop makers can more easily integrate a secondary graphics chip. It is also a chip we have come across in gaming-focused MiniPCs from Asus and Thunderobot.

To protect this chip, we find a fairly classic approach for this type of board, namely a set of heat pipes that spreads the heat as evenly as possible across an exchange plate designed to take a standard heatsink-fan cooler. Around the chip are two DDR5 DIMM memory slots and 2 M.2 2280 NVMe PCIe Gen5 x4 slots with heatsinks. Four additional SATA3 ports are also available.

On the network side, there is a Realtek RTL8126 5 Gigabit Ethernet port. A MediaTek MT7902 module handles Wi-Fi 6E and Bluetooth 5.2. The board also offers a full set of connectors with DisplayPort 2.0, HDMI 2.1, three USB 2.0 Type-A, three USB 3.0 Type-A, and audio and optical inputs and outputs.

Internally, the additional connectors make it possible to hook up a front panel, USB 2.0, USB 3.0 and USB 3.2 headers, fans, USB 3.2 Type-C with DisplayPort and Power Delivery, and even some fancy RGB LEDs.

The Aoostar TA95X3D as a base for building many scenarios

In short, enough to build a relatively compact machine with a powerful processor that can be backed by a secondary graphics card and generous storage capacity. The 5 Gigabit Ethernet port opens the way to network uses, given that PCIe add-in cards can provide functions other than gaming, with network, storage or compute expansions.

An Antec Mini-ITX case for a gaming build

Sold in China, it is for now holding the price announced at the end of last year, namely 4799 yuan (€600 excl. tax). Online it is listed at $749, or about €650 excl. tax. Aoostar promotes it as a "gaming" board, and one can indeed imagine building a small, compact, high-performance configuration by adding a decent graphics card, some RAM and storage. It remains to be seen what such a toy would cost overall at the moment. Between the price of the board, the case, the cooling system and the other memory, storage and graphics components, a solution integrated into a laptop may paradoxically be cheaper. The remaining advantage of the MoDT format is the ability to push the processor to its full potential with a high-end cooling solution.

AOOSTAR TA95X3D: a Mini-ATX board built around the Ryzen 9 9955HX3D © MiniMachines.net. 2026

Mesa 26.1 Makes It Easier To "Fake" A GPU Reset Using LLVMpipe

April 5, 2026 at 10:23
A small but interesting addition coming for this quarter's Mesa 26.1 release is making it easy to simulate a GPU reset with the LLVMpipe software driver. While seemingly mundane, this can be quite handy for compositor developers and other app/software developers wanting to more easily test how their code behaves when encountering a GPU reset...

Apple's First 50 Years Celebrated - Including How Steve Jobs Finally Accepted an 'Open' App Store

April 5, 2026 at 07:34
Apple's 50th anniversary got celebrated in weird and wild ways. CEO Tim Cook posted a special 30-second video rewinding backwards through the years of Apple's products until it reaches the Apple I. Podcaster Lex Fridman noticed if you play the sound in reverse, "It's the Think Different ad music, pitched up." TechRadar played seven 50-year-old Apple I games on an emulator, including Star Trek, Blackjack, Lunar Lander, and of course, Conway's Game of Life. And Macworld ranked Apple's 50 most influential people. (Their top five?) 5. Tony Fadell (iPhone co-creator/"father of the iPod") 4. Sir Jony Ive 3. Steve Wozniak 2. Tim Cook 1. Steve Jobs One of the most thoughtful celebrators was David Pogue, who's spent 42 years writing about Apple (starting as a MacWorld columnist and the author of Mac for Dummies, one of the first "...For Dummies" books ever published in the early 1990s.) Now 63 years old, Pogue spent the last two years working on a 608-page hardcover book titled Apple: The First 50 Years. But on his Substack, Pogue contemplated his own history with the company — including several interactions with Steve Jobs. Pogue remembers how Jobs "hated open systems. He wanted to make self-contained, beautiful machines. He didn't want them polluted by modifications." The tech blog Daring Fireball notes that Pogue actually interviewed Scott Forstall (who'd led the iPhone's software development team) for his new book, "and got this story, about just how far Steve Jobs thought Apple could go to expand the iPhone's software library while not opening it to third-party developers." "I want you to make a list of every app any customer would ever want to use," he told Forstall. "And then the two of us will prioritize that list. And then I'm going to write you a blank check, and you are going to build the largest development team in the history of the world, to build as many apps as you can as quickly as possible." Forstall, dubious, began composing a list.
But on the side, he instructed his engineers to build the security foundations of an app store into the iPhone's software - "against Steve's knowledge and wishes," Forstall says. [...] Two weeks after the iPhone's release, someone figured out how to "jailbreak" the iPhone: to hack it so that they could install custom apps. Jobs burst into Forstall's office. "You have to shut this down!" But Forstall didn't see the harm of developers spending their efforts making the iPhone better. "If they add something malicious, we'll ship an update tomorrow to protect against that. But if all they're doing is adding apps that are useful, there's no reason to break that." Jobs, troubled, reluctantly agreed. Week by week, more cool apps arrived, available only to jailbroken phones. One day in October, Jobs read an article about some of the coolest ones. "You know what?" he said. "We should build an app store." Forstall, delighted, revealed his secret plan. He had followed in the footsteps of Burrell Smith (the Mac's memory-expansion circuit) and Bob Belleville (the Sony floppy-drive deal): He'd disobeyed Jobs and wound up saving the project. In fact, the book "includes new interviews with 150 key people who made the journey, including Steve Wozniak, John Sculley, Jony Ive, and many current designers, engineers, and executives" (according to its description on Amazon). Pogue's book even revisits the story of Steve Jobs proving an iPod prototype could be smaller by tossing it into an aquarium, shouting "If there's air bubbles in there, there's still room. Make it smaller!" But Pogue's book "added that there's a caveat to this compelling bit of Apple lore," reports NPR. "It never actually happened. It's just one more Apple myth."

Sunday Builds: Water Cooling Modifier Works by MSC Studio

April 5, 2026 at 07:19

Every week, we come across mods that go off in all directions, and others that stay very restrained, almost too much so. From heavily loaded full RGB to the ultra-clean build in the style of a premium office workstation, there is a bit of everything, really everything. And it is precisely this mix that gives these discoveries their flavor: configs that are sometimes useless, sometimes brilliant, often a little crazy, but always interesting to look at for the enthusiasts that we are. This is clearly a showcase of know-how and creativity, with machines that seek to impress as much as to function. In short, modding for the pleasure of the eyes, without necessarily looking for any coherence… and that is also what makes it cool. […]

Top NPM Maintainers Targeted with AI Deepfakes in Massive Supply-Chain Attack, Axios Briefly Compromised

April 5, 2026 at 03:34
"Hackers briefly turned a widely trusted developer tool into a vehicle for credential-stealing malware that could give attackers ongoing access to infected systems," the news site Axios.com reported Tuesday, citing security researchers at Google. The compromised package — also named axios — simplifies HTTP requests, and reportedly receives millions of downloads each day: The malicious versions were removed within roughly three hours of being published, but Google warned the incident could have "far-reaching impacts" given the package's widespread use, according to John Hultquist, chief analyst at Google Threat Intelligence Group. Wiz estimates Axios is downloaded roughly 100 million times per week and is present in about 80% of cloud and code environments. So far, Wiz has observed the malicious versions in roughly 3% of the environments it has scanned. Friday PCMag notes the maintainer's compromised account had two-factor authentication enabled, with the breach ultimately traced "to an elaborate AI deepfake from suspected North Korean hackers that was convincing enough to trick a developer into installing malware," according to a post-mortem published Thursday by lead developer Jason Saayman: [Saayman] fell for a scheme from a North Korean hacking group, dubbed UNC1069, which involves sending out phishing messages and then hosting virtual meetings that use AI deepfakes to clone the face and voices of real executives. The virtual meetings will then create the impression of an audio problem, which can only be "solved" if the victim installs some software or runs a troubleshooting command. In reality, it's an effort to execute malware. The North Koreans have been using the tactic repeatedly, whether it be to phish cryptocurrency firms or to secure jobs from IT companies. Saayman said he faced a similar playbook. "They reached out masquerading as the founder of a company, they had cloned the company's founders likeness as well as the company itself," he wrote. 
"They then invited me to a real Slack workspace. This workspace was branded... The Slack was thought out very well, they had channels where they were sharing LinkedIn posts. The LinkedIn posts I presume just went to the real company's account, but it was super convincing etc." The hackers then invited him to a virtual meeting on Microsoft Teams. "The meeting had what seemed to be a group of people that were involved. The meeting said something on my system was out of date. I installed the missing item as I presumed it was something to do with Teams, and this was the remote access Trojan," he added. "Everything was extremely well coordinated, looked legit and was done in a professional manner." Friday developer security platform Socket wrote that several more maintainers in the Node.js ecosystem "have come out of the woodwork to report that they were targeted by the same social engineering campaign." The accounts now span some of the most widely depended-upon packages in the npm registry and Node.js core itself, and together they confirm that axios was not a one-off target. It was part of a coordinated, scalable attack pattern aimed at high-trust, high-impact open source maintainers. Attackers also targeted several Socket engineers, including CEO Feross Aboukhadijeh. Feross is the creator of WebTorrent, StandardJS, buffer, and dozens of widely used npm packages with billions of downloads... Commenting on the axios post-mortem thread, he noted that this type of targeting [against individual maintainers] is no longer unusual... "We're seeing them across the ecosystem and they're only accelerating." Jordan Harband, John-David Dalton, and other Socket engineers also confirmed they were targeted. Harband, a TC39 member, maintains hundreds of ECMAScript polyfills and shims that are foundational to the JavaScript ecosystem. Dalton is the creator of Lodash, which sees more than 137 million weekly downloads on npm. 
Between them, the packages they maintain are downloaded billions of times each month. Wes Todd, an Express TC member and member of the Node Package Maintenance Working Group, also confirmed he was targeted. Matteo Collina, co-founder and CTO of Platformatic, Node.js Technical Steering Committee Chair, and lead maintainer of Fastify, Pino, and Undici, disclosed on April 2 that he was also targeted. His packages also see billion downloads per year... Scott Motte, creator of dotenv, the package used by virtually every Node.js project that handles environment variables, with more than 114 million weekly downloads, also confirmed he was targeted using the same Openfort persona. Socket reports that another maintainer was targeted with an invitation to appear on a podcast. (During the recording a suspicious technical issue appeared which required a software fix to resolve....) Even in just its technical implementation, "This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package," the CI/CD security company StepSecurity wrote Tuesday: The dropper contacts a live command-and-control server, delivers separate second-stage payloads for macOS, Windows, and Linux, then erases itself and replaces its own package.json with a clean decoy... Three payloads were pre-built for three operating systems. Both release branches were poisoned within 39 minutes of each other. Every artifact was designed to self-destruct. Within two seconds of npm install, the malware was already calling home to the attacker's server before npm had even finished resolving dependencies... Both versions were published using the compromised npm credentials of a lead axios maintainer, bypassing the project's normal GitHub Actions CI/CD pipeline.
"As preventive steps, Saayman has now outlined several changes," reports The Hacker News, "including resetting all devices and credentials, setting up immutable releases, adopting OIDC flow for publishing, and updating GitHub Actions to adopt best practices." The Wall Street Journal called it "the latest in a string of incidents exposing risks in the systems that underpin how modern software is built."

Microsoft Pulls Then Re-Issues Windows 11 Preview Update. Also Begins Force-Updating Windows 11

April 5, 2026 at 01:34
Nine days ago Microsoft released a non-security "preview" update for Windows 11 — not mandatory for the average Windows user, notes ZDNet, "but rather as optional, more for IT admins and power users who want to test them." TechRepublic adds that the update "was to bring 'production-ready improvements' and generally ensure system stability by optimizing different Windows services." So it's ironic that some (but not all) users reported instead that the update "blocks users at the door, refusing to install or crashing midway through the process." "It apparently impacted enough people to force Microsoft to take action," writes ZDNet. "Microsoft paused and then pulled the update," and then Tuesday released a new update "designed to replace the glitchy one. This one includes all the new features and improvements from the previous preview update, but also fixes the installation issues that clobbered that update." Meanwhile, as Windows 11 version 24H2 approaches its end of life this October, Microsoft is now force-updating users to the latest version, reports BleepingComputer: "The machine learning-based intelligent rollout has expanded to all devices running Home and Pro editions of Windows 11, version 24H2 that are not managed by IT departments," Microsoft said in a Monday update to the Windows release health dashboard... "No action is required, and you can choose when to restart your device or postpone the update." Neowin reports: The good news is that the update from version 24H2 to 25H2 is a minor enablement package, as the two operating systems share the same codebase. As such, the update won't take long, and you should not encounter any disruptions, compatibility issues, or previously unseen bugs... Microsoft recently promised to implement big changes in how Windows Update works, including the ability to postpone updates for as long as you want. However, Microsoft has yet to clarify if that includes staying on a release beyond its support period. 
Thanks to long-time Slashdot reader Ol Olsoc for sharing the news.
